Skip to content

Hide Navigation Hide TOC

darkrace (b6aa46b3-46f5-522f-931f-b1ac57e8aadc)

DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized extension (e.g., .1352FF327) that varies per victim. Implemented as a 32-bit Windows application, it disables antivirus defenses, deletes volume shadow copies, terminates processes, and drops ransom note files for payment negotiation. Technical weaknesses in its encryption have enabled developers to produce a universal decryptor that works against DarkRace and related variants.

Cluster A Galaxy A Cluster B Galaxy B Level
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware darkrace (b6aa46b3-46f5-522f-931f-b1ac57e8aadc) Ransomware 1
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Scripting - T1064 (7fd87010-3a00-4da3-b905-410525e8ec44) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 3
Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 3